Analysis
-
max time kernel
142s -
max time network
107s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-04-2023 20:31
General
-
Target
e23672950942dc45e4d890db00db898c3c48f11d6e66630974163180474cf476.exe
-
Size
800KB
-
MD5
c72d21c0c4c0c2467ea761f99becfac3
-
SHA1
8445057487e913602a01aeed1db39c43e58a9ba7
-
SHA256
e23672950942dc45e4d890db00db898c3c48f11d6e66630974163180474cf476
-
SHA512
5907c8dc11a387652906e71c7dea828911e8b1e81f067a27e87fbd68a474e9b7ef7c01bcf5e82b49a7a7ef6830680a10dca488a55e9980f98ada83e732bade87
-
SSDEEP
12288:LMrEy90M0CkazwrT3zAwHBFSMKBxK7CWji07JhRr70q+cZbYIjFfy0:/yn0FazC37SMKxfWG01hRfJ/Z/RfH
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
zima
176.113.115.145:4125
-
auth_value
2ef701d510c0d27e8a8e3270281678b1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 36 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e23672950942dc45e4d890db00db898c3c48f11d6e66630974163180474cf476.exe"C:\Users\Admin\AppData\Local\Temp\e23672950942dc45e4d890db00db898c3c48f11d6e66630974163180474cf476.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUr7792.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUr7792.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidV8056.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidV8056.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it337773.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it337773.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr472624.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr472624.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp155208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp155208.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr107437.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr107437.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 8363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 8483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 8803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 8603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 10683⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr107437.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr107437.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUr7792.exeFilesize
536KB
MD50c1e45c06292ec4e62ece377660ad2f0
SHA198e1e042743dc6f19aa141b1a76071e2a8b8cf68
SHA256610304aab64cc9b4e067be62c657caf718c97dc892aa93df09bf14d741e868ea
SHA512ecff305b943ff8655af99fbce4f5b3e0cf11c6e197b9803d213dbc57e2116f045c9817a978181cc91ba09d2b19a765e70c345b2910470086965711f11c3b0050
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziUr7792.exeFilesize
536KB
MD50c1e45c06292ec4e62ece377660ad2f0
SHA198e1e042743dc6f19aa141b1a76071e2a8b8cf68
SHA256610304aab64cc9b4e067be62c657caf718c97dc892aa93df09bf14d741e868ea
SHA512ecff305b943ff8655af99fbce4f5b3e0cf11c6e197b9803d213dbc57e2116f045c9817a978181cc91ba09d2b19a765e70c345b2910470086965711f11c3b0050
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp155208.exeFilesize
169KB
MD5ec2bb8ead86fef2cc01f68ce9423cd88
SHA188ea19c43a5be1693ebe3afd12e13ae8c3e0927d
SHA256a696ded6dc9a3749e3ba3db7504d1890107e6de38c54a9ac7f3bff4d1a8d640e
SHA512554dce41697d3b8f4896bf34417fb08fa0e27bd6e8a8d351b47a1ba7a8f062adc08072140f2e44731846dc876b130389a7408836b5b06ec50905223403c993c6
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp155208.exeFilesize
169KB
MD5ec2bb8ead86fef2cc01f68ce9423cd88
SHA188ea19c43a5be1693ebe3afd12e13ae8c3e0927d
SHA256a696ded6dc9a3749e3ba3db7504d1890107e6de38c54a9ac7f3bff4d1a8d640e
SHA512554dce41697d3b8f4896bf34417fb08fa0e27bd6e8a8d351b47a1ba7a8f062adc08072140f2e44731846dc876b130389a7408836b5b06ec50905223403c993c6
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidV8056.exeFilesize
382KB
MD5bdb61898cd0f17b805852fae09b828f6
SHA1c417b81ccb25ca2d597d1b0a13aad814a59538dd
SHA25622ebf94a1b44773f697e0c1f5e8e35f925ea503943785965e372d3fd307ffba8
SHA51210a39a835f9866a42284f59c6176305c94384db3bcad936dde389ccc9dd89c0eb5af36409f438bf38e1a79fc64aaf727468ca59577dbde698acfd452502062c1
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidV8056.exeFilesize
382KB
MD5bdb61898cd0f17b805852fae09b828f6
SHA1c417b81ccb25ca2d597d1b0a13aad814a59538dd
SHA25622ebf94a1b44773f697e0c1f5e8e35f925ea503943785965e372d3fd307ffba8
SHA51210a39a835f9866a42284f59c6176305c94384db3bcad936dde389ccc9dd89c0eb5af36409f438bf38e1a79fc64aaf727468ca59577dbde698acfd452502062c1
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it337773.exeFilesize
11KB
MD5ab6aaa4878242cde917ba29009eb9387
SHA1324597641b4509f315af3ff7fce7bf7b9c6050b9
SHA256f31696e7284e94480a01187576f48085e9c7bff262adbedde26bf43e1d411f97
SHA51237941c837b5eb365189afea1c169aa2341ffe33f75ad5de71a7a1fffbe34dbd50a330077369989bb4602b523277412dcb0218ee070e707a84fa36a9ba35ea4a4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it337773.exeFilesize
11KB
MD5ab6aaa4878242cde917ba29009eb9387
SHA1324597641b4509f315af3ff7fce7bf7b9c6050b9
SHA256f31696e7284e94480a01187576f48085e9c7bff262adbedde26bf43e1d411f97
SHA51237941c837b5eb365189afea1c169aa2341ffe33f75ad5de71a7a1fffbe34dbd50a330077369989bb4602b523277412dcb0218ee070e707a84fa36a9ba35ea4a4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr472624.exeFilesize
297KB
MD5a40bdc92af6a9e887e1d9200cfa625a4
SHA149a998a093b9a245670ad1eed56e714d53ed8a42
SHA2569c8622140a16da44e061f9434a8555cf3a4593f6c95c07e2508c9370e41f1d4c
SHA512d39d9cb5d1043fdc06e0c35254e5efb22c1008667d0f82b0dacaf30c5f8419229a52e87c13f1f8855c9032c8dc9e8bf49b047a01ffab86b9b7cae6446cc851f6
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr472624.exeFilesize
297KB
MD5a40bdc92af6a9e887e1d9200cfa625a4
SHA149a998a093b9a245670ad1eed56e714d53ed8a42
SHA2569c8622140a16da44e061f9434a8555cf3a4593f6c95c07e2508c9370e41f1d4c
SHA512d39d9cb5d1043fdc06e0c35254e5efb22c1008667d0f82b0dacaf30c5f8419229a52e87c13f1f8855c9032c8dc9e8bf49b047a01ffab86b9b7cae6446cc851f6
-
memory/1640-141-0x00000000004E0000-0x00000000004EA000-memory.dmpFilesize
40KB
-
memory/3476-185-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-201-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-149-0x0000000004B20000-0x000000000501E000-memory.dmpFilesize
5.0MB
-
memory/3476-150-0x0000000004A60000-0x0000000004AA4000-memory.dmpFilesize
272KB
-
memory/3476-151-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-152-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-154-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-156-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-158-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-160-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-162-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-164-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-165-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-168-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-169-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-171-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-166-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-173-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-175-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-177-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-179-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-181-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-183-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-147-0x0000000000590000-0x00000000005DB000-memory.dmpFilesize
300KB
-
memory/3476-187-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-189-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-191-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-193-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-195-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-197-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-199-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-148-0x0000000002280000-0x00000000022C6000-memory.dmpFilesize
280KB
-
memory/3476-203-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-205-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-207-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-209-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-211-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-215-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-213-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-217-0x0000000004A60000-0x0000000004A9F000-memory.dmpFilesize
252KB
-
memory/3476-1060-0x0000000005020000-0x0000000005626000-memory.dmpFilesize
6.0MB
-
memory/3476-1061-0x0000000005660000-0x000000000576A000-memory.dmpFilesize
1.0MB
-
memory/3476-1062-0x00000000057A0000-0x00000000057B2000-memory.dmpFilesize
72KB
-
memory/3476-1063-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-1064-0x00000000057C0000-0x00000000057FE000-memory.dmpFilesize
248KB
-
memory/3476-1065-0x0000000005910000-0x000000000595B000-memory.dmpFilesize
300KB
-
memory/3476-1067-0x0000000005AA0000-0x0000000005B32000-memory.dmpFilesize
584KB
-
memory/3476-1068-0x0000000005B40000-0x0000000005BA6000-memory.dmpFilesize
408KB
-
memory/3476-1069-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-1070-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-1071-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3476-1072-0x0000000006250000-0x0000000006412000-memory.dmpFilesize
1.8MB
-
memory/3476-1073-0x0000000006420000-0x000000000694C000-memory.dmpFilesize
5.2MB
-
memory/3476-1074-0x0000000006B90000-0x0000000006C06000-memory.dmpFilesize
472KB
-
memory/3476-1075-0x0000000006C10000-0x0000000006C60000-memory.dmpFilesize
320KB
-
memory/3476-1076-0x0000000004B10000-0x0000000004B20000-memory.dmpFilesize
64KB
-
memory/3612-1092-0x0000000000580000-0x00000000005BB000-memory.dmpFilesize
236KB
-
memory/4736-1082-0x00000000003A0000-0x00000000003D0000-memory.dmpFilesize
192KB
-
memory/4736-1083-0x0000000000BB0000-0x0000000000BB6000-memory.dmpFilesize
24KB
-
memory/4736-1084-0x000000000A2B0000-0x000000000A2FB000-memory.dmpFilesize
300KB
-
memory/4736-1085-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/4736-1086-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB